The allegation is contained in a motion filed Aug. 30 in the lawsuit, which is being considered in U.S. District Court in Portland. The motion also alleges Premera failed to preserve data loss prevention logs that may have indicated exfiltration.

The motion is asking a federal judge to instruct the jury at trial to assume that data exfiltration occurred. It also seeks to prevent any experts from testifying that no data exfiltration occurred.

Efforts to reach Premera officials weren't immediately successful. But a spokesman tells ZDNet the company disagrees with the motion and that it does "not believe the facts justify the relief plaintiffs have requested." The company plans to file a response, the spokesman says.

Missing: A23567-D

Premera Blue Cross announced in March 2015 that a cybersecurity incident had potentially exposed personal data for 11 million people, including Social Security numbers, bank account information, claims and clinical information (see Another Massive Health Data Hack).

FireEye's Mandiant incident response unit, which discovered the intrusion in January 2015, determined the attack took place in May 2014, meaning attackers may have had access for as long as eight months.

The plaintiffs consider the data on the machine, dubbed A23567-D, important in proving that personal data ended up with unauthorized parties. The motion contends that a preliminary analysis by Mandiant showed the computer to be central in exfiltrating data.

"Any files or remnants the hackers left on A23567-D during those contacts are now permanently lost, along with plaintiffs' chance to show evidence of exfiltration through the logs stored on the device," the motion contends. "Without access to that hard drive, trying to prove that the hackers removed Plaintiffs' PII [personally identifiable information] and PHI [protected health information] through that computer is impossible."

A23567-D was one of 35 computers that showed signs of tampering as a result of the intrusion, the motion says. It was a key computer, as it belonged to a developer and had privileges for some of the company's most important databases.

Mandiant analysts found that it was the only one of the 35 computers to contain a type of malware called PHOTO, the motion says. The malware could be used to upload and download files, modify the registry and processes and execute programs.

Mandiant found that the intruders had daily contact with A23567-D between July 2014 and January 2015. A23567-D communicated with a domain, www[.]presecoust[.]com, the motion says.

"The destroyed computer was perfectly positioned to be the one-and-only staging computer hackers needed to create vast staging files for the purpose of shipping even more data outside of Premera's network," the motion says. "This computer functioned as the development machine for a software programmer, and as such was pre-loaded with a vast array of legitimate utilities that could be turned to any purpose."

As a result, "only A23567-D's destroyed hard drive could show what the hackers left behind during those contacts," the motion says.

Where's Computer #35?

Last November, lawyers for the plaintiffs asked for the forensic images of the 35 computers. However, Premera could only provide images for 34, saying the 35th had been destroyed, the motion says.

The motion alleges that Premera "willfully" destroyed A23567-D. According to Premera's discovery filings as quoted in the motion, however, its destruction appears to have been a mistake.

While Mandiant sequestered the other 34 computers, A23567-D was "unintentionally filed as end of life," Premera contended. It remained unused and offline for a year within Premera's Client Technology Services.

Eventually, it was sent to Premera's personal computer distribution center in September 2016 and was listed as destroyed on Dec. 16, 2016.

The plaintiffs see that as a big problem for their case when going to trial.

"Essentially, Premera maintains a 'no harm, no foul' defense, contending there can be no damage to any plaintiff unless he or she can prove confidential information was exfiltrated from Premera's system," the motion says. "Plaintiffs dispute Premera's theory, and allege that harm was done to every member of the Class when their sensitive information was exposed to an unauthorized third party - namely, the hackers."

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
